Head

GCC Code Coverage Report

Directory:	./		Exec	Total	Coverage
File:	usr.bin/signify/fe25519.c	Lines:	191	197	97.0 %
Date:	2017-11-07	Branches:	68	70	97.1 %

Line	Branch	Exec	Source
1			/* $OpenBSD: fe25519.c,v 1.1 2014/07/22 00:41:19 deraadt Exp $ */
2
3			/*
4			* Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
5			* Peter Schwabe, Bo-Yin Yang.
6			* Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.c
7			*/
8
9			#define WINDOWSIZE 1 /* Should be 1,2, or 4 */
10			#define WINDOWMASK ((1<<WINDOWSIZE)-1)
11
12			#include "fe25519.h"
13
14			static crypto_uint32 equal(crypto_uint32 a,crypto_uint32 b) /* 16-bit inputs */
15			{
16		41602	crypto_uint32 x = a ^ b; /* 0: yes; 1..65535: no */
17		20801	x -= 1; /* 4294967295: yes; 0..65534: no */
18		20801	x >>= 31; /* 1: yes; 0: no */
19		20801	return x;
20			}
21
22			static crypto_uint32 ge(crypto_uint32 a,crypto_uint32 b) /* 16-bit inputs */
23			{
24			unsigned int x = a;
25		1342	x -= (unsigned int) b; /* 0..65535: yes; 4294901761..4294967295: no */
26		671	x >>= 31; /* 0: yes; 1: no */
27		671	x ^= 1; /* 1: yes; 0: no */
28		671	return x;
29			}
30
31			static crypto_uint32 times19(crypto_uint32 a)
32			{
33		3778532	return (a << 4) + (a << 1) + a;
34			}
35
36			static crypto_uint32 times38(crypto_uint32 a)
37			{
38		20778122	return (a << 5) + (a << 2) + (a << 1);
39			}
40
41			static void reduce_add_sub(fe25519 *r)
42			{
43			crypto_uint32 t;
44			int i,rep;
45
46	✓✓	3352261	for(rep=0;rep<4;rep++)
47			{
48		1219004	t = r->v[31] >> 7;
49		1219004	r->v[31] &= 127;
50		1219004	t = times19(t);
51		1219004	r->v[0] += t;
52	✓✓	78016256	for(i=0;i<31;i++)
53			{
54		37789124	t = r->v[i] >> 8;
55		37789124	r->v[i+1] += t;
56		37789124	r->v[i] &= 255;
57			}
58			}
59		304751	}
60
61			static void reduce_mul(fe25519 *r)
62			{
63			crypto_uint32 t;
64			int i,rep;
65
66	✓✓	2345917	for(rep=0;rep<2;rep++)
67			{
68		670262	t = r->v[31] >> 7;
69		670262	r->v[31] &= 127;
70		670262	t = times19(t);
71		670262	r->v[0] += t;
72	✓✓	42896768	for(i=0;i<31;i++)
73			{
74		20778122	t = r->v[i] >> 8;
75		20778122	r->v[i+1] += t;
76		20778122	r->v[i] &= 255;
77			}
78			}
79		335131	}
80
81			/* reduction modulo 2^255-19 */
82			void fe25519_freeze(fe25519 *r)
83			{
84			int i;
85		1342	crypto_uint32 m = equal(r->v[31],127);
86	✓✓	41602	for(i=30;i>0;i--)
87		20130	m &= equal(r->v[i],255);
88		671	m &= ge(r->v[0],237);
89
90		671	m = -m;
91
92		671	r->v[31] -= m&127;
93	✓✓	41602	for(i=30;i>0;i--)
94		20130	r->v[i] -= m&255;
95		671	r->v[0] -= m&237;
96		671	}
97
98			void fe25519_unpack(fe25519 *r, const unsigned char x[32])
99			{
100			int i;
101	✓✓	5963	for(i=0;i<32;i++) r->v[i] = x[i];
102		89	r->v[31] &= 127;
103		89	}
104
105			/* Assumes input x being reduced below 2^255 */
106			void fe25519_pack(unsigned char r[32], const fe25519 *x)
107			{
108			int i;
109		226	fe25519 y = *x;
110		113	fe25519_freeze(&y);
111	✓✓	7458	for(i=0;i<32;i++)
112		3616	r[i] = y.v[i];
113		113	}
114
115			int fe25519_iszero(const fe25519 *x)
116			{
117			int i;
118			int r;
119			fe25519 t = *x;
120			fe25519_freeze(&t);
121			r = equal(t.v[0],0);
122			for(i=1;i<32;i++)
123			r &= equal(t.v[i],0);
124			return r;
125			}
126
127			int fe25519_iseq_vartime(const fe25519 x, const fe25519 y)
128			{
129			int i;
130		356	fe25519 t1 = *x;
131		178	fe25519 t2 = *y;
132		178	fe25519_freeze(&t1);
133		178	fe25519_freeze(&t2);
134	✓✓	9764	for(i=0;i<32;i++)
135	✓✓	4766	if(t1.v[i] != t2.v[i]) return 0;
136		147	return 1;
137		178	}
138
139			void fe25519_cmov(fe25519 r, const fe25519 x, unsigned char b)
140			{
141			int i;
142		36720	crypto_uint32 mask = b;
143		18360	mask = -mask;
144	✓✓	1211760	for(i=0;i<32;i++) r->v[i] ^= mask & (x->v[i] ^ r->v[i]);
145		18360	}
146
147			unsigned char fe25519_getparity(const fe25519 *x)
148			{
149		404	fe25519 t = *x;
150		202	fe25519_freeze(&t);
151		404	return t.v[0] & 1;
152		202	}
153
154			void fe25519_setone(fe25519 *r)
155			{
156			int i;
157		582	r->v[0] = 1;
158	✓✓	18624	for(i=1;i<32;i++) r->v[i]=0;
159		291	}
160
161			void fe25519_setzero(fe25519 *r)
162			{
163			int i;
164	✓✓	1671248	for(i=0;i<32;i++) r->v[i]=0;
165		24944	}
166
167			void fe25519_neg(fe25519 r, const fe25519 x)
168			{
169		49532	fe25519 t;
170			int i;
171	✓✓	1634556	for(i=0;i<32;i++) t.v[i]=x->v[i];
172		24766	fe25519_setzero(r);
173		24766	fe25519_sub(r, r, &t);
174		24766	}
175
176			void fe25519_add(fe25519 r, const fe25519 x, const fe25519 *y)
177			{
178			int i;
179	✓✓	9069388	for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i];
180		135364	reduce_add_sub(r);
181		135364	}
182
183			void fe25519_sub(fe25519 r, const fe25519 x, const fe25519 *y)
184			{
185			int i;
186		338774	crypto_uint32 t[32];
187		169387	t[0] = x->v[0] + 0x1da;
188		169387	t[31] = x->v[31] + 0xfe;
189	✓✓	10501994	for(i=1;i<31;i++) t[i] = x->v[i] + 0x1fe;
190	✓✓	11179542	for(i=0;i<32;i++) r->v[i] = t[i] - y->v[i];
191		169387	reduce_add_sub(r);
192		169387	}
193
194			void fe25519_mul(fe25519 r, const fe25519 x, const fe25519 *y)
195			{
196			int i,j;
197		670262	crypto_uint32 t[63];
198	✓✓	42896768	for(i=0;i<63;i++)t[i] = 0;
199
200	✓✓	22118646	for(i=0;i<32;i++)
201	✓✓	707796672	for(j=0;j<32;j++)
202		343174144	t[i+j] += x->v[i] * y->v[j];
203
204	✓✓	21448384	for(i=32;i<63;i++)
205		10389061	r->v[i-32] = t[i-32] + times38(t[i]);
206		335131	r->v[31] = t[31]; /* result now in r[0]...r[31] */
207
208		335131	reduce_mul(r);
209		335131	}
210
211			void fe25519_square(fe25519 r, const fe25519 x)
212			{
213		284532	fe25519_mul(r, x, x);
214		142266	}
215
216			void fe25519_invert(fe25519 r, const fe25519 x)
217			{
218		226	fe25519 z2;
219		113	fe25519 z9;
220		113	fe25519 z11;
221		113	fe25519 z2_5_0;
222		113	fe25519 z2_10_0;
223		113	fe25519 z2_20_0;
224		113	fe25519 z2_50_0;
225		113	fe25519 z2_100_0;
226		113	fe25519 t0;
227		113	fe25519 t1;
228			int i;
229
230		113	/* 2 */ fe25519_square(&z2,x);
231		113	/* 4 */ fe25519_square(&t1,&z2);
232		113	/* 8 */ fe25519_square(&t0,&t1);
233		113	/* 9 */ fe25519_mul(&z9,&t0,x);
234		113	/* 11 */ fe25519_mul(&z11,&z9,&z2);
235		113	/* 22 */ fe25519_square(&t0,&z11);
236		113	/* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t0,&z9);
237
238		113	/* 2^6 - 2^1 */ fe25519_square(&t0,&z2_5_0);
239		113	/* 2^7 - 2^2 */ fe25519_square(&t1,&t0);
240		113	/* 2^8 - 2^3 */ fe25519_square(&t0,&t1);
241		113	/* 2^9 - 2^4 */ fe25519_square(&t1,&t0);
242		113	/* 2^10 - 2^5 */ fe25519_square(&t0,&t1);
243		113	/* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t0,&z2_5_0);
244
245		113	/* 2^11 - 2^1 */ fe25519_square(&t0,&z2_10_0);
246		113	/* 2^12 - 2^2 */ fe25519_square(&t1,&t0);
247	✓✓	1130	/* 2^20 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
248		113	/* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t1,&z2_10_0);
249
250		113	/* 2^21 - 2^1 */ fe25519_square(&t0,&z2_20_0);
251		113	/* 2^22 - 2^2 */ fe25519_square(&t1,&t0);
252	✓✓	2260	/* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
253		113	/* 2^40 - 2^0 */ fe25519_mul(&t0,&t1,&z2_20_0);
254
255		113	/* 2^41 - 2^1 */ fe25519_square(&t1,&t0);
256		113	/* 2^42 - 2^2 */ fe25519_square(&t0,&t1);
257	✓✓	1130	/* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); }
258		113	/* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t0,&z2_10_0);
259
260		113	/* 2^51 - 2^1 */ fe25519_square(&t0,&z2_50_0);
261		113	/* 2^52 - 2^2 */ fe25519_square(&t1,&t0);
262	✓✓	5650	/* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
263		113	/* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t1,&z2_50_0);
264
265		113	/* 2^101 - 2^1 */ fe25519_square(&t1,&z2_100_0);
266		113	/* 2^102 - 2^2 */ fe25519_square(&t0,&t1);
267	✓✓	11300	/* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); }
268		113	/* 2^200 - 2^0 */ fe25519_mul(&t1,&t0,&z2_100_0);
269
270		113	/* 2^201 - 2^1 */ fe25519_square(&t0,&t1);
271		113	/* 2^202 - 2^2 */ fe25519_square(&t1,&t0);
272	✓✓	5650	/* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
273		113	/* 2^250 - 2^0 */ fe25519_mul(&t0,&t1,&z2_50_0);
274
275		113	/* 2^251 - 2^1 */ fe25519_square(&t1,&t0);
276		113	/* 2^252 - 2^2 */ fe25519_square(&t0,&t1);
277		113	/* 2^253 - 2^3 */ fe25519_square(&t1,&t0);
278		113	/* 2^254 - 2^4 */ fe25519_square(&t0,&t1);
279		113	/* 2^255 - 2^5 */ fe25519_square(&t1,&t0);
280		113	/* 2^255 - 21 */ fe25519_mul(r,&t1,&z11);
281		113	}
282
283			void fe25519_pow2523(fe25519 r, const fe25519 x)
284			{
285		178	fe25519 z2;
286		89	fe25519 z9;
287		89	fe25519 z11;
288		89	fe25519 z2_5_0;
289		89	fe25519 z2_10_0;
290		89	fe25519 z2_20_0;
291		89	fe25519 z2_50_0;
292		89	fe25519 z2_100_0;
293		89	fe25519 t;
294			int i;
295
296		89	/* 2 */ fe25519_square(&z2,x);
297		89	/* 4 */ fe25519_square(&t,&z2);
298		89	/* 8 */ fe25519_square(&t,&t);
299		89	/* 9 */ fe25519_mul(&z9,&t,x);
300		89	/* 11 */ fe25519_mul(&z11,&z9,&z2);
301		89	/* 22 */ fe25519_square(&t,&z11);
302		89	/* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t,&z9);
303
304		89	/* 2^6 - 2^1 */ fe25519_square(&t,&z2_5_0);
305	✓✓	890	/* 2^10 - 2^5 */ for (i = 1;i < 5;i++) { fe25519_square(&t,&t); }
306		89	/* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t,&z2_5_0);
307
308		89	/* 2^11 - 2^1 */ fe25519_square(&t,&z2_10_0);
309	✓✓	1780	/* 2^20 - 2^10 */ for (i = 1;i < 10;i++) { fe25519_square(&t,&t); }
310		89	/* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t,&z2_10_0);
311
312		89	/* 2^21 - 2^1 */ fe25519_square(&t,&z2_20_0);
313	✓✓	3560	/* 2^40 - 2^20 */ for (i = 1;i < 20;i++) { fe25519_square(&t,&t); }
314		89	/* 2^40 - 2^0 */ fe25519_mul(&t,&t,&z2_20_0);
315
316		89	/* 2^41 - 2^1 */ fe25519_square(&t,&t);
317	✓✓	1780	/* 2^50 - 2^10 */ for (i = 1;i < 10;i++) { fe25519_square(&t,&t); }
318		89	/* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t,&z2_10_0);
319
320		89	/* 2^51 - 2^1 */ fe25519_square(&t,&z2_50_0);
321	✓✓	8900	/* 2^100 - 2^50 */ for (i = 1;i < 50;i++) { fe25519_square(&t,&t); }
322		89	/* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t,&z2_50_0);
323
324		89	/* 2^101 - 2^1 */ fe25519_square(&t,&z2_100_0);
325	✓✓	17800	/* 2^200 - 2^100 */ for (i = 1;i < 100;i++) { fe25519_square(&t,&t); }
326		89	/* 2^200 - 2^0 */ fe25519_mul(&t,&t,&z2_100_0);
327
328		89	/* 2^201 - 2^1 */ fe25519_square(&t,&t);
329	✓✓	8900	/* 2^250 - 2^50 */ for (i = 1;i < 50;i++) { fe25519_square(&t,&t); }
330		89	/* 2^250 - 2^0 */ fe25519_mul(&t,&t,&z2_50_0);
331
332		89	/* 2^251 - 2^1 */ fe25519_square(&t,&t);
333		89	/* 2^252 - 2^2 */ fe25519_square(&t,&t);
334		89	/* 2^252 - 3 */ fe25519_mul(r,&t,x);
335		89	}


Generated by: GCOVR (Version 3.3)